Bug#948854: buster-pu: package git-lfs/2.7.1-1+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

git-lfs FTBFS in stretch since some security updates were applied to
golang-1.11. #940485
Let's cherry-pick the corresponding fix from sid.

The updated package is already uploaded.


Andreas
diff -Nru git-lfs-2.7.1/debian/changelog git-lfs-2.7.1/debian/changelog
--- git-lfs-2.7.1/debian/changelog	2019-02-27 06:33:53.000000000 +0100
+++ git-lfs-2.7.1/debian/changelog	2020-01-14 00:26:10.000000000 +0100
@@ -1,3 +1,13 @@
+git-lfs (2.7.1-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+
+  [ Stephen Gelman ]
+  * Backport a fix from upstream that fixes FTBFS under Go 1.12.8, 1.11.13
+    (aka 1.11.6-1+deb10u1)  (Closes: #940485)
+
+ -- Andreas Beckmann <anbe@debian.org>  Tue, 14 Jan 2020 00:26:10 +0100
+
 git-lfs (2.7.1-1) unstable; urgency=medium
 
   * New upstream release
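Review bot: the new changelog bullet says only "Backport a fix from upstream" and never names the file it adds, debian/patches/0002-fix-url-parsing.patch, or mentions that the build failure is in URL parsing. Suggest naming the patch in the bullet so the entry can be matched against the series file, and dropping the doubled space before "(Closes: #940485)".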
diff -Nru git-lfs-2.7.1/debian/patches/0002-fix-url-parsing.patch git-lfs-2.7.1/debian/patches/0002-fix-url-parsing.patch
--- git-lfs-2.7.1/debian/patches/0002-fix-url-parsing.patch	1970-01-01 01:00:00.000000000 +0100
+++ git-lfs-2.7.1/debian/patches/0002-fix-url-parsing.patch	2020-01-14 00:26:10.000000000 +0100
@@ -0,0 +1,61 @@
+From f06492430e8f4a37136c746a29cffb7149beae08 Mon Sep 17 00:00:00 2001
+From: "brian m. carlson" <bk2204@github.com>
+Date: Wed, 14 Aug 2019 14:49:48 +0000
+Subject: [PATCH] lfsapi: fix URL parsing with Go 1.12.8
+
+Go 1.12.8 introduces a security fix for parsing URLs that contain a
+colon followed by an invalid port number. Since our SSH remotes can
+contain just such a colon, our hack to make these into URLs no longer
+works.
+
+Fix this by replacing the first colon in these "URLs" with a slash,
+which is a path delimiter, which makes them parsable by newer versions
+of Go. Update the name of the function since it now does more than its
+previous name implies.
+---
+ lfsapi/auth.go | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/lfsapi/auth.go b/lfsapi/auth.go
+index 5a99a5b01..1de332e99 100644
+--- a/lfsapi/auth.go
++++ b/lfsapi/auth.go
+@@ -192,7 +192,7 @@ func getCredURLForAPI(ef EndpointFinder, operation, remote string, apiEndpoint l
+ 
+ 	if len(remote) > 0 {
+ 		if u := ef.GitRemoteURL(remote, operation == "upload"); u != "" {
+-			schemedUrl, _ := prependEmptySchemeIfAbsent(u)
++			schemedUrl, _ := fixSchemelessURL(u)
+ 
+ 			gitRemoteURL, err := url.Parse(schemedUrl)
+ 			if err != nil {
+@@ -214,12 +214,13 @@ func getCredURLForAPI(ef EndpointFinder, operation, remote string, apiEndpoint l
+ 	return apiURL, nil
+ }
+ 
+-// prependEmptySchemeIfAbsent prepends an empty scheme "//" if none was found in
+-// the URL in order to satisfy RFC 3986 §3.3, and `net/url.Parse()`.
++// fixSchemelessURL prepends an empty scheme "//" if none was found in
++// the URL and replaces the first colon with a slash in order to satisfy RFC
++// 3986 §3.3, and `net/url.Parse()`.
+ //
+ // It returns a string parse-able with `net/url.Parse()` and a boolean whether
+ // or not an empty scheme was added.
+-func prependEmptySchemeIfAbsent(u string) (string, bool) {
++func fixSchemelessURL(u string) (string, bool) {
+ 	if hasScheme(u) {
+ 		return u, false
+ 	}
+@@ -231,7 +232,11 @@ func prependEmptySchemeIfAbsent(u string) (string, bool) {
+ 		// First path segment has a colon, assumed that it's a
+ 		// scheme-less URL. Append an empty scheme on top to
+ 		// satisfy RFC 3986 §3.3, and `net/url.Parse()`.
+-		return fmt.Sprintf("//%s", u), true
++		//
++		// In addition, replace the first colon with a slash since
++		// otherwise the colon looks like it's introducing a port
++		// number.
++		return fmt.Sprintf("//%s", strings.Replace(u, ":", "/", 1)), true
+ 	}
+ 	return u, true
+ }
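Review bot: no test accompanies the changed return in fixSchemelessURL; the embedded patch's diffstat lists only lfsapi/auth.go (1 file changed, 10 insertions, 5 deletions), so nothing exercises a scheme-less remote whose first path segment contains a colon after the colon is rewritten to a slash. Suggest carrying a test case for that input with the backport, or stating in the request how the rebuilt package was checked. Separately, the doc comment promises a boolean for "whether or not an empty scheme was added", yet the unchanged final `return u, true` hands back the input untouched with true, and the call site in getCredURLForAPI discards the value with `_`; that mismatch is worth reporting upstream rather than changing in this upload.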
diff -Nru git-lfs-2.7.1/debian/patches/series git-lfs-2.7.1/debian/patches/series
--- git-lfs-2.7.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ git-lfs-2.7.1/debian/patches/series	2020-01-14 00:26:10.000000000 +0100
@@ -0,0 +1 @@
+0002-fix-url-parsing.patch
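Review bot: the series file is created here with 0002-fix-url-parsing.patch as its only entry, so the numbering starts at 0002 with no 0001 in this package. quilt applies patches by the names listed, so this works, but if the file name is kept to match the package in sid, saying so in the changelog would save the next reader from looking for a missing patch.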
